SSH Tectia  
Previous Next Up [Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server >>
    Getting Started >>
    Configuration >>
    Authentication >>
        Server Authentication with Public Keys >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
            Client Configuration
            Server Configuration
            Optional Configuration Settings
        User Authentication with Keyboard-Interactive >>
        User Authentication with GSSAPI >>
    Application Tunneling >>
    Troubleshooting >>
    Man Pages
    Advanced Options >>
    Log Messages >>

Server Configuration

Host-based authentication can be enabled either by using traditional public keys or by using certificates.

Traditional Public Keys

To allow host-based authentication with traditional public keys on the server, do the following steps as ServerUser:

  1. Create a file named .shosts in the home directory of ServerUser. The contents of this file should be the client's hostname, some tabs or spaces, and the user's username on the client.
    client.example.com       ClientUser
    

    Make sure the .shosts is owned by ServerUser and its permissions are 0600.

  2. Check that the server user's home directory is owned by the user and its permissions are at most 0755 (or more restrictive, like 0700).

    If every user is allowed to write to the directory, there will be nothing to prevent them from overwriting the .shosts file with their own version with an entry for their client user, allowing them to authenticate to SSH Tectia Server as ServerUser.

Do the following steps as the server administrator:

  1. Copy the client's /etc/ssh2/hostkey.pub file over to the server. Note that this requires root permissions on the client, and optionally on the server as well.

    SSH Tectia Server is configured by default to look in one of two places on server for the host keys to use for host-based authentication:

    /etc/ssh2/knownhosts
    

    OR

    $HOME/.ssh2/knownhosts
    

    The server administrator can edit the UserKnownHosts keyword in the sshd2_config file to disable the use of the user-defined known hosts (they are allowed by default).

    If you want to allow host-based authentication to all users connecting from the client machine, you can add the public host key to /etc/ssh2/knownhosts. Root permissions are required for this method.

    If you want to allow host-based authentication only to some users, and if user-defined knownhosts are allowed, then you can instead add the keys to the $HOME/.ssh2/knownhosts directory.

    You have to name the client's public key as follows on the server:

    client.example.com.ssh-dss.pub
    

    In the example, client.example.com is the hostname the client is sending to the server. When DefaultDomain has been set on client, this name is always the long hostname (FQDN). This gives the server the client's public key so the server can verify the client user's identity based on the public key signature.

  2. In the sshd2_config file under the AllowedAuthentications keyword, add hostbased as an allowed method. For example:
    AllowedAuthentications hostbased,publickey,password
    
    If you want to allow multiple authentication methods, place the least interactive method first.
  3. Restart the server as instructed in Section Starting the Server.

To test that host-based authentication works, log in to client as ClientUser and run the following command:

$ ssh ServerUser@server uptime

You should get back the results of uptime on the server.

Certificates

To allow host-based authentication with certificates on the server, do the following steps as ServerUser:

  1. Create a file named .shosts in the home directory of ServerUser. The contents of this file should be the client's hostname, some tabs or spaces, and the user's username on the client.
    client.example.com       ClientUser
    

Do the following steps as the server administrator:

  1. Set the HostCA and LdapServers values in ssh_certd_config on server.
    HostCA                   <trusted-ca-certificate>
    LdapServers              ldap://server.domain:port
    
  2. Restart the server as instructed in Section Starting the Server.

Previous Next Up [Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice